Cloud Computing, Security Issues and Potential Solution by Using ICMetrics or Biometrics Based Encryption



Similar documents
Analysis of Cloud Computing Vulnerabilities

Cloud Security Who do you trust?

Expert Reference Series of White Papers. 10 Security Concerns for Cloud Computing

Information Security Services

A Survey on Security Issues in Service Delivery Models of Cloud Computing

Keyword: Cloud computing, service model, deployment model, network layer security.

Hedge Funds & the Cloud: The Pros, Cons and Considerations

External Supplier Control Requirements

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

NCTA Cloud Architecture

How To Protect Your Cloud Computing Resources From Attack

FACING SECURITY CHALLENGES

Data Protection: From PKI to Virtualization & Cloud

D. L. Corbet & Assoc., LLC

SURVEY ON VIRTUALIZATION VULNERABILITIES

Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015

SANS Security 528 CASP Practice Exam

Cloud Computing. What we should be auditing

Security Management of Cloud-Native Applications. Presented By: Rohit Sharma MSc in Dependable Software Systems (DESEM)

Cloud-Security: Show-Stopper or Enabling Technology?

Appendix. Key Areas of Concern. i. Inadequate coverage of cybersecurity risk assessment exercises

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

Security Issues In Cloud Computing And Their Solutions

Public Cloud Security: Surviving in a Hostile Multitenant Environment

Securing The Cloud With Confidence. Opinion Piece

InfoSec Academy Application & Secure Code Track

SECURITY MODELS FOR CLOUD Kurtis E. Minder, CISSP

Cloud Computing and Attacks

10/25/2012 BY VORAPOJ LOOKMAIPUN CISSP, CISA, CISM, CRISC, CEH Agenda. Security Cases What is Cloud? Road Map Security Concerns

Information Security: Business Assurance Guidelines

Cloud Computing: Opportunities, Challenges, and Solutions. Jungwoo Ryoo, Ph.D., CISSP, CISA The Pennsylvania State University

The Magazine for IT Security. May issue 3. sör alex / photocase.com

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Top Ten Technology Risks Facing Colleges and Universities

Cloud Security Who do you trust?

Understanding Sage CRM Cloud

NOS for IT User and Application Specialist. IT Security (ESKITU04) November 2014 V1.0

A Review on Cloud Computing Vulnerabilities

Cloud Security and Managing Use Risks

Risks and Challenges

External Supplier Control Requirements

College Training Program

Passing PCI Compliance How to Address the Application Security Mandates

Cloud Computing Security Issues And Methods to Overcome

Third Party Security Requirements Policy

Hypervisor Security - A Major Concern

If you know the enemy and know yourself, you need not fear the result of a hundred battles.

Journal of Electronic Banking Systems

Security Model for VM in Cloud

Securing Your Data In The Cloud: an insiders perspective

Implementing Microsoft Azure Infrastructure Solutions 20533B; 5 Days, Instructor-led

Course 20533B: Implementing Microsoft Azure Infrastructure Solutions

Objectives. What is Cloud Computing? Security Problems and Liability Privacy Concerns Solutions Recap Challenges for the Customer

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

CLOUD COMPUTING SECURITY CONCERNS

Cloud Computing Governance & Security. Security Risks in the Cloud

FACT SHEET: Ransomware and HIPAA

A SURVEY OF CLOUD COMPUTING: NETWORK BASED ISSUES PERFORMANCE AND ANALYSIS

Jort Kollerie SonicWALL

Tufts University. Department of Computer Science. COMP 116 Introduction to Computer Security Fall 2014 Final Project. Guocui Gao

Encyclopedia of Information Assurance Suggested Titles: March 25, 2013 The following titles have not been contracted.

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

Cloud Courses Description

Security Controls What Works. Southside Virginia Community College: Security Awareness

PCI Compliance Updates

CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST618 Designing and Implementing Cloud Security CAST

Cloud Security. Peter Jopling IBM UK Ltd Software Group Hursley Labs. peterjopling IBM Corporation

Data Storage Security in Cloud Computing

Security Best Practices for Mobile Devices

Cloud and Security (Cloud hacked via Cloud) Lukas Grunwald

CONTROLLING DATA IN THE CLOUD: OUTSOURCING COMPUTATION WITHOUT OUTSOURCING CONTROL

Polish Financial Supervision Authority. Guidelines

A Decision Maker s Guide to Securing an IT Infrastructure

Secure Your Source Code and Digital Assets

IaaS Request for Proposal Template

Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5),

Information security controls. Briefing for clients on Experian information security controls

Solutions and IT services for Oil-Gas & Energy markets

CLOUD COMPUTING. DAV University, Jalandhar, Punjab, India. DAV University, Jalandhar, Punjab, India

2012 Bit9 Cyber Security Research Report

Den Gode Webservice - Security Analysis

Cloud Courses Description

Application Based Access Control on Cloud Networks for Data Security

The Next Generation of Security Leaders

Cloud & Security. Dr Debabrata Nayak Debu.nayak@huawei.com

Four Top Emagined Security Services

of firms with remote users say Web-borne attacks impacted company financials.

Overview of Cloud Computing and Cloud Computing s Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities

"ASM s INTERNATIONAL E-Journal on Ongoing Research in Management and IT"

Cloud security and OpenStack Primož Cigoj Laboratorij za odprte sisteme in mreže IJS-E5.

Cloud Security:Threats & Mitgations

IT Security Incident Management Policies and Practices

Cloud Security Overview

Evolving Threats and Attacks: A Cloud Service Provider s viewpoint. John Howie Senior Director Online Services Security and Compliance

Transcription:

Cloud Computing, Security Issues and Potential Solution by Using ICMetrics or Biometrics Based Encryption Masudur Rahman, Wah Man Cheung Abstract- Cloud computing is an emerging field of computer networking which is providing opportunities to use hardware, infrastructure or application as a service. Many organisations are considering cloud computing as cost effective, secure and suitable solution for their needs. However security concerns are involved with using cloud services provided by a third party. In this paper, we investigate cloud computing by considering security awareness of the cloud services, critical security threats involved with cloud computing, good practice to ensure security within the cloud and the possibility of using ICMetrics or Biometrics based encryption to provide efficient security within a cloud computing environment. Keyword- Cloud computing, cloud computing threats and risks, good security practice for cloud computing, ICMetrics. I. Introduction Mike Gunderloy 1, a technology writer, compared the handling of information with the of handling the money. He explained the storage of the information in a way of keeping this in local computer s hard drive by considering the risk of failure of the drive or any potential disaster. Masudur Rahman, Faculty of Business and Services, Colchester Institute United Kingdom Wah Man Cheung Faculty of Business and Services, Colchester Institute United Kingdom School of Computer Science and Electronic Engineering, University of Essex United Kingdom On the other hand like money, users can keep information in a bank of server that exists in the cloud, where the user can withdraw their money anytime from any networked ATM. Robin Hasting 2 has defined the cloud as a massive network of cloud storage devices (servers and others) that exists somewhere over the internet. Cloud is a network of servers which is capable of running a service, providing storage opportunities or a platform to deliver certain tasks. Organisation can adopt the cloud computing solution by outsourcing or setting up their own. One of the main advantages of using cloud computing has been described by Chris Brogan 3, a renowned blogger. When his personal computer died, he faced less trouble than expected because of his increased use of cloud computing, documents were on Google Docs, Calendar was in his Gmail account, important information was stored in online storage space, extensive use of Flicker and Delicious (previously known as Del.icio.us). Using cloud computing provides a great deal of support and assurance in terms of data backup, disaster recovery and business continuity, while accessibility of the information from anywhere with the proper access right make the whole process very convenient in today s internet dependant world. In many cases, cloud computing provides a cost effective, efficient and secured networked service. For example, it might not be suitable for the small organisation to buy expensive servers, IDS or to employ a security expert to ensure their data security and backup, where organisations like Amazon, Google or Microsoft offer successful cloud solutions like SaaS, PaaS, or HaaS with adequate resources and security; which would be suitable for any organisation regardless of the size or revenue. However there are many security concerns involved with adopting the cloud computing within the organisation. 36

The following sections of this paper present a survey on security awareness of the cloud service providers, threats and risk involved in cloud computing, recommendations of good practice for cloud service providers and recommendations to implement ICMetrics or Biometrics within cloud based virtual machines (VM) for efficient and effective data encryption. II. A survey on cloud service providers Despite the advantages of using cloud computing, recent research shows serious security concerns exists. The Ponemon Institute s study security of cloud computing providers revealed some alarming issues related to the data security. The study sponsored by CA Technologies and conducted on 103 cloud computing providers from the US and 24 providers from different European countries, shows that a significant number of cloud service providers do not consider the security of the user s data as their responsibility but the responsibility of the customers to keep their information secure while stored in the cloud. According to this study, most of the service providers key focus was to provide features and functions according to the needs of the customers but these service providers do not provide the assurance of adequate security of these products or services. Figure 2 4 Most of the participant organisations do not consider the security as a key success factor neither do they believe that their products or services provide the assurance of protecting customers confidential information. A more alarming finding was 66% of US and 61% of European participants were not sure about adequate security of their cloud services (Figure 1). Furthermore, only 35% of European participants said management strongly agree or agree about the concern related to in cloud information security, while this number in US is only 23%. (Figure 2) Some key findings of this survey are 5 : Figure 3 4 Figure 1 4 Fewer than half of the cloud service providers from the US and Europe allocate 10% or less of their resources to ensure the security of the system or the information, which may not be enough to provide sufficient and reasonable security of the customer s information. (Figure 3) 37

Figure 4 4 Most cloud providers said that customers are interested in using a cloud service as it is cost effective. To make it cost effective, many of the participants do not have dedicated security expert within the organisation. (Figure 4) Most cloud providers said that the customers need to ensure their own data security. A significant number of the providers do not always conduct the penetration testing on their system to identify the vulnerabilities before deploying the system for the customers. The Ponemon study has raised a serious question about cloud service providers efforts to ensure the security of information; therefore organisations needs to be careful before adopting the cloud solution. However, the lack of assurance about security by the cloud service providers is not the only issue related to the use of cloud services, there are more serious concerns involved; which we will explore in the next section of this paper. III. Security threats for cloud computing To reduce the cost of an organisation s IT Operation and maintenance, many organisations are moving towards the 38 adoption of cloud solutions, which heavily depend on virtualisation. According to International Data Corporation (IDC) survey, 87.5% participants believe that security is the most important challenge of cloud computing 5. The security risks related to cloud computing can be categorised. Ramgovind 6 and Nitin Sing Chauhan 7 have suggested an approach of identifying security risks based on six major elements. These are: Confidentiality, Integrity, Authentication, Authorisation, Non-repudiation and Availability. Each of these elements of information security is crucial for customers who expect to ensure the data security, integrity, availability while the down time of the service needs to be minimised. Even though there is a significant development in security tools; it is important to identify the security threats and adopt a security framework or model to comply with the legislation as well as to keep the customers confidence. In the next section, we will categorise the threats involved in cloud computing. IV. Potential threats to the cloud computing API is a way of communicating with the cloud services from the client end. Cloud computing providers need to ensure the vulnerabilities of the API s have been identified and ensure the security of the API s. API vulnerabilities can be used by the attacker to attack the PaaS or IaaS based cloud service. According to Nagaraju Kilari 8, virtualisation is a key aspect of many cloud services where it has four important security threats namly isolation failure, dependency on Hypervisor, service disruption and shared technology. VM-Hopping and VM-Escape are two newest threats derived from these four virtualisation risks. Within cloud environment, one physical machine may have many virtual machines implemented with the help of Hypervisor technology. Attacker may use one virtual machine (VM) to spy on other VM s within the same physical host; this is called VM- Hoping. When the attacker takes the control of one VM, and by using that they may take control of the host machine as well as all the other VMs hosted on that machine; this is termed VM-Escape. Any of these incidents

may cause disruption or data loss for the organisation. Isolation is one of the key benefits of virtualisation as well as cloud computing, while this advantage can become one of the critical threats for the cloud if not deployed properly 9. VM- Hopping can be used as a result of the violation of isolation. But the worst case scenario is when the attacker takes control of a VM first and then manages to control the other VMs or host machine because of the weak isolation. If the host machine gets compromised, the attacker will be able to get root access permission. Disruption of the cloud service is becoming a critical issue because of the increasing threats of Denial of Service (DoS) attack or DDoS attack. But the situation gets worst when the host computer of the cloud service provider become the victim of the DoS or DDoS attack. If the host computer lost the service, all the VMs hosted in that host will face service disruption in terms of availability. The virtualisation process fully depends on the security of the underlying software kernel. A virtualisation host is capable of hosting many VMs where each of these VM s configuration information will be stored on this underlying kernel software. If this kernel gets compromised the attacker will be able to hijack the VMs hosted on this kernel. Loss of data is the burning issue in relation to data storage in cloud computing. If the data stored in a server is in different country, the legislation may allow ensuring data safety in different ways. Some cloud service providers may retain the client s information even after client has deleted the data. However, the biggest security threats may come from by the improper access control, lack of adequate security of information, hacking activities, insufficient authentication and authorisation process; any of these issues can be used by the attacker to gain access to the information. Cloud service providers are profit oriented businesses and may not disclose some known vulnerabilities to the clients. As a result, clients may become the victims of unknown threats. Furthermore, as the information will be hosted somewhere over the cloud a range of different people will be needed to ensure security or continuous service; employee, contractor or even the supplier of the cloud computing provider may become the threat to the information. Service providers need to have adequate system in place to 39 ensure the physical and logical security of the information along with sufficient hardware and software resources. Apart from the threats, explained above, cloud computing can be the victim of some common networked threats such as: virus, malware, Brute Force Attack against the secured password, Rainbow Table Attack, SQL Injection, Cross Site Scripting (XSS), DNS Poisoning, Phishing Attack, Session hijacking, Man-in-the-middle attack, application software vulnerabilities, inadequate service level agreement (SLA) etc.; where the client needs to be proactive and efficient to secure their own information 18. IV. Recommendations to secure cloud computing Cloud computing offers range of different and diversified services according to the market demand where the customers can use effective services in a cost effective way if security can be ensured. In this section, we recommend a set of good practice and possible future technical implementation guidelines to reduce the security threats of using cloud computing. Cloud computing service providers need to do penetration testing on their API s before implementing the system 8. API needs to be the subject of regular vulnerability checks because of new threats. All applications within cloud environment need to be checked and updated in a timely manner. Service providers need to ensure security in line with the law and legislations. Implementing effective IT governance within the organisation will help the service provider to offer better and secure service to the clients as well as to comply with the law 13. Advanced hardware and software security components such as IDS, IPS or networked antivirus have given the opportunity to protect an organisation from potential threats like DoS or DDoS attack. Effective system configuration with an efficient access control list and a hardware/software security infrastructure will play a significant role in securing cloud computing 14. Cloud computing providers keep data in different servers to reduce the risk of single point of failure and to ensure data backup, where the security of all physical storage needs to be ensured. Implementing ISO 27001 along with a disaster recovery/business continuity plan will help service providers to gain

the confidence of clients as well as to continue the business in adverse situation 15. Enterprise Single Sign on (ESSO) has been used by many service providers in recent years to allow clients to use different services with single sign on 16. This is an effective approach to providing better password security, where encryption may play a significant role. Encrypting data can provide a great deal of security while storing the data over the cloud. To do so, data needs to be encrypted before storing and needs to be decrypted while accessing the information. Encryption and decryption of large amount of data can be expensive and time consuming because of technology constraints. Public key encryption technology has been proven to be effective in ensuring security within large organisation. This type of encryption can be used to encrypt the password, specific information or even the whole data storage space; for example the hard drive. However, the biggest challenge with public key cryptography is to arrange the expensive and complicated technologies as well as the key management where the individual user needs to keep their own private key safe and secure 17. However, some of the security practice described above may not be adequate and efficient enough to provide the sufficient level of security to the client s information over the cloud. Furthermore, Ponemon Institute s research on cloud computing service providers has revealed the lack of commitment to considering security as an element of competitive advantage for cloud computing business. Therefore service providers need to have an effective and emerging security solution which will provide the best possible security for their clients information in a cost efficient way. In the next section, we will explain a potential security infrastructure for cloud computing by using ICMetrics or Biometrics to provide better security within cloud computing environment. VI. ICMetrics / Biometrics for the data encryption in cloud computing In many cryptographic systems, success of the cryptosystem will depend on the client end where Encryption/decryption key would be stored. If the end device gets compromised by the attacker, the crypto system will become vulnerable. Yevgeniya Kovalchuk 10 has described the ICMetrics technology, which is capable of generating unique identifiers based on electronic systems behaviour that can be used as cryptographic key. Biometrics technology can be used in a similar way to generating and storing an encryption key. However, Rhuma Tahir 11 argues that the low entropy and short length of the generated ICMatrics key can make it vulnerable against the cryptographic attack. Therefore, ICMetrics key needs to be strengthened by increasing the entropy and key length to ensure secure communication. Rhuma Tahir 12 has proposed the generation of strong ICMetrics session key based on SHA-2 key derivation function. This function is capable of generating the key with increased key length and high entropy. Implementation of ICMetrics within cloud based storage and client end would provide resilience against information security threats. Cloud providers may provide the opportunity for individual client s virtual machines, to be encrypted by the ICMetrics or Biometrics based encryption technology. Each and every single VM within the host will be encrypted by the ICMetrics therefore isolation of virtual machines (VMs) will be ensured. On client end, low resource embedded systems can be used for the ICMetrics functions. All the information stored within the cloud host computer will be encrypted by the client therefore if the host kernel gets compromised, client s information may not be disclosed. ICMetrics or Biometrics will provide a great deal of support to the client in terms managing the security keys. VII. Conclusion Cloud computing is one of the most important emerging technologies this century and is changing the landscape of networking. The technology offers many benefits along with some security threats. Following industry standards, good practice and complying with the law may allow the service providers to offer secure cloud computing but still many cloud service providers are not aware of the security concerns related to this technology. Using ICMatrics or Biometrics in cloud technology may help clients to ensure their information security while the service providers may consider this to be a cost effective security solution. 40

[13] Ron Speed, IT Governance and the Cloud: Principles and Practice for Governing Adoption of Cloud Computing VIII. Future work [14] Harold F. Tipton, Official (ISC) 2 We will investigate the opportunities for implementing ICMetrics or Biometrics encryption technology within a cloud computing service infrastructure and will try to build a model for this. We believe implementing this technology will provide better resilience within cloud storage against the security threats. CBK, Second Edition Guide to the SSCP [15] Charu Pelnekar, Planning for and Implementing ISO 27001 [16] Michael Mendelson, Securing Cloud based Applications How Enterprise Single Sign-on Was Implemented to Drive Value [17] Shon Harris, CISSP Exam Guide, Third Edition. [18] Kimberly Graves, Certified Ethical Hacker Study Guide, Version 6 References About Author : [1] Mike Gunderloy, Is Your Information under the Mattress or in the ATM? Web Worker Daily, July 30,2008, http://webworkerdaily.com/2008/07/30/informati on-under-mattress-or-in-atm (accessed March 17,2013). [2] Robin Hastings, Cloud Computing, Library Technology Reports, www.techsource.ala.org, May/June 2009 (accessed July 10, 2013). [3] Chris Brogan, Life In The Clouds, Chris Brogan:Community and Social Media, July 31, 2008, http://www.chrisbrogan.com/life-in-the- clouds/, (accessed July 10, 2013). [4] Ponemon Study on Cloud Security: http://www.ca.com/~/media/files/industryresear ch/security-of-cloud-computing-providers-final- april- 2011.pdf (Accessed 11 th July 2013) [5] Haoyong Lv and Yin Hu, Analysis and Research about Cloud Computing Security Protect Policy, IEEE, 2011, pp. 214-216 [6] Ramgovind S, Eloff MM and Smith E, The Management of Security in Cloud Computing, IEEE, 2010. [7] Nitin Singh Chauhan and Ashutosh Saxena, Energy Analysis of Security for Cloud Application. [8] Nagaraju Kilari and Dr. R. Sridaran, A Survey on Security Threats for Cloud Computing [9] Jyotiprakash Sahoo, Mohapatra and Lath R, Virtualization: A Survey on Concepts, Taxonomy and Associated Security Issues, IEEE, 2010, pp.222-226 [10] Yevgeniya Kovalchuk, Housheng Hu, Dongbing Gu, Klaus McDonald-Maier, ICMetrics Low Resource Embedded Systems [11] Rhuma Tahir, Housheng Hu, Dongbing Gu, Klaus McDonald-Maier, Resilience against Brute Force and Rainbow Table Attacks using Strong ICMetrics Session Key Pairs [12] Rhuma Tahir, Housheng Hu, Dongbing Gu, Klaus McDonald-Maier, A Scheme for the Generation of Strong ICMetrics Session Key Pairs for Secure Embedded System Applications Keen to do research on security of cloud computing and implement an effective and efficient security solution for cloud service providers as well as the users. Masudur Rahman 41

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information